Major Security Bug Found in Web Encryption Tool

A security flaw found in a popular Internet encryption tool has sent companies and government agencies scrambling to plug the leak.

The bug in OpenSSL, a widely used open-source cryptographic library rather than an encryption method in itself, was disclosed earlier this week after being found independently by researchers at Google (GOOG) and cyber-security firm Codenomicon. According to a website created by Codenomicon (heartbleed.com), Neel Mehta of Google Security first reported it to the OpenSSL team. The flaw is tracked as CVE-2014-0160.

In a notice on Tuesday, Amazon.com (AMZN) informed its Amazon Web Services customers that it had applied fixes for the OpenSSL vulnerability, and said some AWS services were never affected.

Researchers believe Heartbleed, the nickname given to the OpenSSL flaw, had already allowed cyber thieves to grab Yahoo (YHOO) usernames and passwords. Yahoo said it had addressed the problem for most of its properties, including Yahoo Search, Yahoo Mail, Flickr and Tumblr, by Tuesday afternoon.

“As soon as we became aware of the issue, we began working to fix it,” a Yahoo spokesperson said. “Our team has successfully made the appropriate corrections across the main Yahoo properties…and we are working to implement the fix across the rest of our sites right now. We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data.”

According to the web-based server test from security firm Qualys (SSL Labs), other major websites, including eBay (EBAY), Google and Microsoft's (MSFT) Outlook email service, were not vulnerable to the Heartbleed attack at the time they were checked.

The Canada Revenue Agency temporarily shut down its online services on Wednesday due to security concerns, just three weeks before an April 30 deadline for citizens to file taxes.

The security flaw affects OpenSSL versions 1.0.1 through 1.0.1f, open-source software that many websites use to encrypt traffic with TLS, the protocol behind HTTPS. It is a missing bounds check in OpenSSL's implementation of the TLS "heartbeat" extension, which is where the nickname comes from. Because the leaked bytes come straight from the server process's memory, they can include usernames, passwords and credit card numbers that happen to be held there at the time, and potentially the server's own private key.

Using the flaw, an attacker sends a heartbeat request that claims a payload length far larger than the payload actually sent; the server dutifully replies with that many bytes read from its memory, up to about 64 KB per request. The attacker can't choose which data comes back, such as one particular person's username and password, but can repeat the request as often as they like and piece together whatever was in memory. Heartbeat messages are not logged by default, so the attack leaves no trace in ordinary server logs.
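As an added illustration that is not part of the original report and is not OpenSSL's own code, the following C model shows the shape of the bug and of the fix. A TLS heartbeat record (RFC 6520: one type byte, a two-byte big-endian payload_length, the payload, then at least 16 bytes of padding) is placed in a simulated memory arena with a constructed secret right after it. The vulnerable handler copies as many bytes as the attacker's payload_length field claims; the hardened handler applies the check that OpenSSL 1.0.1g added, rejecting any message whose claimed payload does not fit inside the record actually received. The arena, the secret, the function names and the sample values are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 512          /* simulated process memory (an assumption of this model) */
#define HB_REQUEST 1            /* RFC 6520 HeartbeatMessageType: heartbeat_request */
#define HB_PADDING 16           /* minimum padding a heartbeat must carry */

/* Simulated server memory: the heartbeat record is written at offset 0 and
 * a constructed secret is placed right after it, standing in for adjacent heap data. */
static unsigned char arena[ARENA_SIZE];

/* Lay out one heartbeat request in the arena. claimed_len is what the attacker
 * writes into the 16-bit payload_length field; payload is what is really sent.
 * Returns the length of the record the TLS layer actually received. */
static size_t build_request(uint16_t claimed_len, const char *payload, const char *secret)
{
    size_t plen = strlen(payload);
    size_t record_len = 1 + 2 + plen + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);    /* big-endian payload_length */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    memcpy(arena + record_len, secret, strlen(secret));  /* "adjacent" memory */
    return record_len;
}

/* Vulnerable handler (the OpenSSL 1.0.1 to 1.0.1f behaviour): it trusts the
 * attacker-supplied payload_length and never compares it with record_len.
 * Copies the echoed "payload" into out and returns the byte count, or -1. */
static int heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;   /* the real record length is never consulted: that is the bug */
    size_t payload = ((size_t)arena[1] << 8) | arena[2];
    if (payload > out_cap || 3 + payload > ARENA_SIZE)
        return -1;      /* only keeps this simulation inside the arena; the real code had no such guard */
    memcpy(out, arena + 3, payload);   /* reads far past the 4-byte payload, into the secret */
    return (int)payload;
}

/* Hardened handler: the bounds check added in OpenSSL 1.0.1g. The claimed
 * payload plus header and minimum padding must fit in the received record;
 * otherwise the message is silently discarded. */
static int heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING)
        return -1;      /* too short to even hold the header and padding */
    size_t payload = ((size_t)arena[1] << 8) | arena[2];
    if (1 + 2 + payload + HB_PADDING > record_len)
        return -1;      /* payload_length lies about the record size: discard */
    if (payload > out_cap)
        return -1;
    memcpy(out, arena + 3, payload);
    return (int)payload;
}

/* Does the echoed response contain bytes that were never part of the request? */
static int contains(const unsigned char *buf, int n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; n > 0 && i + m <= (size_t)n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* The attacker sends a 4-byte payload but claims 300 bytes. Returns 1 when the
 * vulnerable handler echoes the secret and the fixed handler refuses. */
int demo_heartbleed(void)
{
    unsigned char out[ARENA_SIZE];
    const char *secret = "session_cookie=SECRET-DEMO";  /* constructed sample data */
    size_t rec = build_request(300, "ping", secret);
    int n_vuln = heartbeat_vulnerable(rec, out, sizeof out);
    int leaked = contains(out, n_vuln, secret);
    int n_fixed = heartbeat_fixed(rec, out, sizeof out);
    return leaked && n_fixed == -1;
}

/* A well-formed request, whose claimed length matches the payload, is still
 * echoed by the fixed handler: it returns the payload length, 4 for "ping". */
int demo_honest_request(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec = build_request(4, "ping", "unused");
    return heartbeat_fixed(rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked the secret and fixed handler refused: %s\n",
           demo_heartbleed() ? "yes" : "no");
    printf("fixed handler still echoes an honest 4-byte request: %d bytes\n",
           demo_honest_request());
    return 0;
}
```

The important line is the comparison against record_len in heartbeat_fixed: the length the attacker claims is checked against the length the TLS layer actually delivered, which is exactly what the original code forgot to do. In a real server the over-read runs into whatever the process last used that memory for, which is why credentials, cookies and key material all turn up.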

Alex McGeorge, head of threat intelligence at security firm Immunity Inc., said e-commerce transactions and other online activities remain secure as they happen, although hackers could recover enough information to decrypt data as it’s sent to and from a server.

Web users can't fix this themselves; the patch has to be applied on the server side. In the meantime, McGeorge advises that users avoid shopping and banking online until they are sure the patch was applied. Once the website completes that task, customers should change their usernames and passwords.

“Big companies will be proactive about this. It’s the smaller ones” that may be slow to respond, he said.

OpenSSL has released a patched version, but system administrators may still be waiting for some Linux distributions to ship a fixed package. Installing the fixed library is not the end of the job: services that loaded the old library, such as web, mail and VPN servers, must be restarted to pick it up, and any private keys that may have been exposed should be replaced and their certificates reissued.

The OpenSSL security advisory directs users of the 1.0.1 series to upgrade to OpenSSL 1.0.1g, while the 1.0.2 branch will be fixed in a pending beta update (1.0.2-beta2). Administrators who can't upgrade immediately can rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the heartbeat extension altogether. The older 0.9.8 and 1.0.0 branches do not contain the bug.

“I think we’ll see some good progress,” McGeorge said, noting the amount of attention Heartbleed is getting this week.

The Department of Homeland Security issued an alert to warn businesses about the bug, saying it “could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys.”

DHS also suggested that system administrators consider enabling Perfect Forward Secrecy, under which every session negotiates its own temporary key (for example with ECDHE cipher suites) and the server's long-term private key is used only to authenticate the server, never to derive the session key. A key stolen later, whether through Heartbleed or any other breach, then can't be used to decrypt traffic that was recorded earlier.
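As an added illustration of why that recommendation matters (example code, not part of the DHS alert or the original article), the following C program runs a toy Diffie-Hellman exchange two ways. In the first, the server reuses its long-term private exponent for every session; this static exchange stands in for the RSA key transport that non-forward-secret TLS cipher suites use, since both tie every session secret to one long-lived server key. In the second, the server picks a fresh exponent per session and discards it, the shape of DHE and ECDHE. An eavesdropper records both sessions, later steals the long-term key, and tries it against each transcript. The group, the exponents and the function names are constructed sample values; the prime is far too small to be secure and serves only to make the protocol shape visible.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy group: the largest prime below 2^32, so every product of two residues fits
 * in a uint64_t. An assumption of this example, not a parameter anyone should use. */
static const uint64_t P = 4294967291ULL;
static const uint64_t G = 2;

/* Square-and-multiply modular exponentiation. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1;
    base %= mod;
    while (exp) {
        if (exp & 1) result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* What a passive eavesdropper records from one session. */
typedef struct {
    uint64_t server_share;   /* g^(server exponent), as sent on the wire */
    uint64_t client_share;   /* g^(client exponent), as sent on the wire */
} transcript_t;

/* Non-forward-secret exchange: the server's contribution is its LONG-TERM key,
 * reused across every session, so every session secret depends on that one key. */
static uint64_t session_static(uint64_t server_longterm, uint64_t client_eph, transcript_t *tr)
{
    tr->server_share = modpow(G, server_longterm, P);
    tr->client_share = modpow(G, client_eph, P);
    return modpow(tr->client_share, server_longterm, P);  /* both sides derive g^(x*y) */
}

/* Forward-secret exchange (the shape of DHE/ECDHE): the server picks a fresh
 * exponent for this session only, signs its share with the long-term key
 * (signature omitted in this model) and erases the exponent afterwards. */
static uint64_t session_ephemeral(uint64_t server_eph, uint64_t client_eph, transcript_t *tr)
{
    tr->server_share = modpow(G, server_eph, P);
    tr->client_share = modpow(G, client_eph, P);
    return modpow(tr->client_share, server_eph, P);
}

/* Later, the attacker obtains the server's long-term private key (say, through
 * Heartbleed) and applies it to the recorded client share of each transcript. */
static uint64_t attacker_decrypt(const transcript_t *tr, uint64_t stolen_longterm)
{
    return modpow(tr->client_share, stolen_longterm, P);
}

/* Returns 1 if the stolen long-term key recovers the static session's secret
 * but not the ephemeral session's. The exponents are constructed sample values. */
int demo_forward_secrecy(void)
{
    const uint64_t server_longterm = 123456789;
    const uint64_t client_eph = 987654321;
    const uint64_t server_eph = 555555555;   /* fresh per session, then erased */
    transcript_t tr_static, tr_eph;
    uint64_t k_static = session_static(server_longterm, client_eph, &tr_static);
    uint64_t k_eph = session_ephemeral(server_eph, client_eph, &tr_eph);
    int static_broken = attacker_decrypt(&tr_static, server_longterm) == k_static;
    int eph_broken = attacker_decrypt(&tr_eph, server_longterm) == k_eph;
    return static_broken && !eph_broken;
}

int main(void)
{
    printf("stolen long-term key decrypts the recorded static session but not the ephemeral one: %s\n",
           demo_forward_secrecy() ? "yes" : "no");
    return 0;
}
```

The point is in the last two comparisons: with the static exchange the recorded transcript plus the leaked key reproduces the session secret exactly, while with the ephemeral exchange the leaked key is the wrong exponent and yields an unrelated value. That is what "protect web communications from future breaches" means in practice: a key that leaks next month can't unlock traffic captured today.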